[wp-hackers] 2 Questions: $_REQUEST equivalent and using GET in mod_rewrite

Alex Andrews awgandrews at gmail.com
Tue Aug 28 17:55:01 GMT 2007


On 28/08/07, jacobsantos at branson.com <jacobsantos at branson.com> wrote:
> Rob Miller wrote:
> > jacobsantos at branson.com wrote:
> >> 1. Using $_REQUEST is like asking hackers to pwn your site. "Yes, I
> >> want you to hack me" Don't use it. The reason for WordPress using
> >> $_POST for form data and $_GET for url data is for the same reason
> >> register globals is a terrible security risk. $_REQUEST is similar to
> >> using $_REQUEST and you don't know if it is coming from the Server
> >> (HTTP), form, or url.
> >>
> >> You must know since you created the plugin, so find out and use the
> >> correct super global. If you kept this and released it GPL, the first
> >> thing I will do is convert it to the right super global.
> > What on earth? So long as you handle the data appropriately it doesn't
> > matter where it comes from. CSRF attacks, for example, are possible
> > with both GET and POST; so are SQL injections; so are XSS attacks, etc.
> >
> > Only using $_GET or only using $_POST will not make your scripts even
> > slightly more secure.
> >
> Yes, you still need to sanitize or you'll still be hackable. However,
> with $_GET and $_POST, you at least know where the information is coming
> from, which is safer than relying on $_REQUEST coming from a form
> like you expect. Besides that, I would say it doesn't inform upon the
> intention of the developer of where he is seeking the input. Finally, it
> is bad coding practice because of the above.
>
> Jacob Santos
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

What WP filter does one run it through to make sure it is okay and
strip it? sanitize_title?

Alex
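The points argued in the thread, shown as a plugin handler: an added example written for this page, not code from any of the posters or from WordPress itself. It assumes a current WordPress install (sanitize_text_field(), wp_unslash(), esc_html() and esc_url() postdate this 2007 thread; sanitize_title() and check_admin_referer() already existed), and the function names, nonce action and field names prefixed awg_example_ are hypothetical.

```php
<?php
/*
 * Added example (not from the thread): read the request source you actually
 * expect, verify a nonce, then sanitize each field with the WordPress helper
 * that matches how the value will be used. Assumes a current WordPress; the
 * awg_example_* names and the field names are placeholders.
 */

// The form discussed in the thread: $_REQUEST merges GET, POST and COOKIE,
// so a handler that only expects a posted form also accepts ?slug=... from a
// link or a planted cookie, and the code gives no hint which was intended.
function awg_example_slug_from_request() {
    return isset( $_REQUEST['slug'] ) ? $_REQUEST['slug'] : '';
}

// Explicit form: the superglobal documents where the value must come from,
// and the handler refuses anything that is not a real form submission.
function awg_example_handle_form() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return null;
    }

    // A nonce tied to one action addresses the CSRF point raised above; the
    // form must emit wp_nonce_field( 'awg_example_save', 'awg_example_nonce' ).
    check_admin_referer( 'awg_example_save', 'awg_example_nonce' );

    // sanitize_title() reduces input to a URL-safe slug (lowercase, hyphens,
    // tags stripped); use it when the value becomes a slug, not for free text.
    $slug = isset( $_POST['slug'] )
        ? sanitize_title( wp_unslash( $_POST['slug'] ) )
        : '';

    // sanitize_text_field() strips tags, invalid UTF-8 and extra whitespace;
    // use it for a plain single-line text field such as a label.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';

    // absint() for a numeric id: anything that is not a positive integer
    // collapses to 0, which the caller treats as "no post".
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    return array(
        'slug'    => $slug,
        'label'   => $label,
        'post_id' => $post_id,
    );
}

// A read-only listing page that takes its filter from the URL: reading $_GET
// states that intent, and the value is still sanitized before use.
function awg_example_filter_from_url() {
    return isset( $_GET['tag'] ) ? sanitize_title( wp_unslash( $_GET['tag'] ) ) : '';
}

// Sanitizing on input is not escaping on output: whatever was stored is still
// escaped for the context it is printed into (URL attribute, HTML text).
function awg_example_render( $data ) {
    return '<a href="' . esc_url( home_url( '/' . $data['slug'] ) ) . '">'
        . esc_html( $data['label'] ) . '</a>';
}
```

The choice of sanitizer follows the field's purpose rather than a single catch-all filter: sanitize_title() is the right answer for a value that becomes a slug, but it would mangle a label or a free-text field, which want sanitize_text_field(); reading from $_POST plus a nonce check is what rules out the crafted-link case that $_REQUEST leaves open, and the escaping on output is needed whichever superglobal the value came from.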
